Newsflash message not properly escaped when populating the addevent form, may result in message being clipped

[carrythebanner]

As noted in #799 there looks to be some unexpected clipping of the newsflash message.

It seems that the initial value is saved to the database properly and also returned properly via retrieve_event. When the message is populated into the form, however, the string is assigned to the value attribute of an input and apparently not properly escaped.

https://github.com/shift-org/shift-docs/blob/ac9606890ebd336d6db25bfa6babd1ddbdece32e/site/themes/s2b_hugo_theme/assets/js/cal/addevent.js#L368 https://github.com/shift-org/shift-docs/blob/ac9606890ebd336d6db25bfa6babd1ddbdece32e/site/themes/s2b_hugo_theme/assets/js/cal/datepicker.js#L24

Example

Listing 11901 (calevent id) has 2 occurrences, 19594 and 19780 (caldaily ids).

The full newflash message should be: Moved ride to today should be more acclimated to everyone's liking. I needed more time to acclimate to the heat before I did this with you guys.. … but only the portion up to the first quote mark (') is shown: Moved ride to today should be more acclimated to everyone

Presumably, if the event were saved in this state, the truncated message would be sent to the server and the rest of the message would be lost.

[ionous]

yeah, it looks like the reason that title, etc. are okay -- is because they go through mustache, and mustache has proper escaping.

buildSortedDatesListHTML() does it manually, without the escaping

            "<input ",
                            "type='text' ",
                            "class='newsflash' ",
                            "value='" + dateStatusNewsFlash,
                        "'>",

making the <li> a mustache template might be a decent fix